HTC acknowledged a vulnerability Thursday that can expose a user's Wi-Fi password and SSID to a malicious application running on the phone.

HTC also said that a fix for the vulnerability has already been pushed to several phones, although others will need to be manually updated. HTC said that more details on the update would be available next week. HTC representatives could not be reached at press time to say which phones had been patched, which had not, and when those patches would be forthcoming.

Security architects Chris Hessing and Bret Jordan were credited with the vulnerability, which was published on the US-CERT Web site on Thursday.

"HTC takes customer data security very seriously," an HTC spokesman said in an email. "If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public."

According to the vulnerability details, a malicious application can harvest the Wi-Fi SSID and credentials and export them to the Internet if two conditions are met: it must hold the permission that lets it read the phone's Wi-Fi configuration, and it must hold the permission that lets it reach the network.

"Any Android application on an affected HTC build with the android.permission.ACCESS_WIFI_STATE permission can use the .toString() member of the WifiConfiguration class to view all 802.1X credentials and SSID information," the vulnerability said. "If the same application also has the android.permission.INTERNET permission then that application can harvest the credentials and exfiltrate them to a server on the Internet."
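The advisory's two conditions are both visible in an app's manifest, so a defender triaging installed apps can check for the permission combination without running anything on the phone. The following is an added example (not code from the advisory, HTC, or ExtremeTech) that parses decoded AndroidManifest.xml text and classifies each app by whether it could read the Wi-Fi configuration at all and whether it could also send it off the device. The three sample manifests and package names are constructed for illustration.

```python
"""
Flag Android manifests whose permission set matches the conditions in the
HTC advisory: ACCESS_WIFI_STATE (lets the app read WifiConfiguration, which
on affected builds included 802.1X credentials) combined with INTERNET
(lets the app send what it read to a server). Constructed example.
"""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; ElementTree exposes
# them as "{namespace}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

WIFI_READ = "android.permission.ACCESS_WIFI_STATE"
NET_OUT = "android.permission.INTERNET"


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every <uses-permission android:name="..."> value in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name:
            perms.add(name)
    return perms


def wifi_credential_exposure_risk(manifest_xml: str) -> str:
    """
    Classify an app against the advisory's two conditions:
      'exfiltration-capable' -> holds both ACCESS_WIFI_STATE and INTERNET
      'local-read-only'      -> holds ACCESS_WIFI_STATE but not INTERNET
      'none'                 -> cannot read WifiConfiguration at all
    """
    perms = declared_permissions(manifest_xml)
    if WIFI_READ in perms and NET_OUT in perms:
        return "exfiltration-capable"
    if WIFI_READ in perms:
        return "local-read-only"
    return "none"


def triage(manifests: dict[str, str]) -> dict[str, str]:
    """Map each app label to its risk verdict so a fleet can be scanned in one pass."""
    return {label: wifi_credential_exposure_risk(xml) for label, xml in manifests.items()}


# Constructed sample manifests; the package names are placeholders, not real apps.
FLASHLIGHT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
"""

WIFI_WIDGET_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wifiwidget">
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <application android:label="Wi-Fi Widget"/>
</manifest>
"""

NOTES_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Notes"/>
</manifest>
"""

SAMPLE_APPS = {
    "flashlight": FLASHLIGHT_MANIFEST,
    "wifiwidget": WIFI_WIDGET_MANIFEST,
    "notes": NOTES_MANIFEST,
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_APPS).items():
        print(f"{label}: {verdict}")
```

The check reads the decoded (text) form of the manifest; the copy inside an APK is binary XML and has to be decoded first with a tool such as apktool. A hit on "exfiltration-capable" is only a capability finding, not proof of malice: many legitimate apps hold both permissions, which is exactly why this bug mattered on affected HTC builds.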

HTC has already suffered a major setback in its fight against Apple, which successfully persuaded the U.S. ITC to bar imports of HTC phones that use a data-tapping patent. That patent covers letting users viewing a Web page with a phone number embedded in it tap that number and dial it via the dialing application. HTC said it would remove that feature from all of its phones.

Late last year, an update to several Android-based HTC devices resulted in the installation of tools that could collect a vast amount of personal data without permission. HTC and the carriers eventually rolled out a fix.

Editor's Note: This story was updated at 10:07 AM on Monday, Jan. 6, 2012 with a statement from HTC.

Mark Hachman